This work was done in collaboration and the support of Transitions Online
Computers and the Internet are all about information gathering, storage and exchange. Hence, the topic of security in the digital realm relates to the security of information and its communication. The Internet, in theory, provides everyone with an equal opportunity to access and disseminate information. Yet, as time has shown, this is not always the case. Governments and corporations realize the importance and value of controlling information flows, and of being able to decide when to restrict them. The security of information is further complicated by malicious individuals creating computer viruses and hacking into computer systems, often with no other motive than causing damage.
Confusion and complexity is heightened by the abundance of software, hardware and electronic devices built to interact with an increasingly sophisticated and complicated network. Users have to immerse themselves in concepts and technology that seem to be far removed from the real world. The security of your information, online identity and the privacy of your communications falls first and foremost upon your shoulders and requires comprehension of how the Internet and your computer actually work.
The Internet has profoundly changed social interaction and the dissemination of ideas and knowledge. Publication is no longer restricted by geographic or financial boundaries, and any citizen could become a journalist and reach a global audience.
This online training course has several objectives. It aims to educate and raise awareness to the technical aspects behind computer and Internet operations as a precursor to explaining inherent digital risks and vulnerabilities. Because it is virtually impossible to predict and describe in advance every security situation that one could encounter – the emphasis here is to provide enough background information and explanation of risks to make the user aware of the problem and able to make an educated and appropriate response. The other objective is to provide solutions to the most common security threats faced by journalists working in politically repressive countries, as well as links and references to software tools and manuals for further study and exploration of the subject.
Lesson 1 - The Internet and its Pitfalls
This chapter is a requirement to understanding other topics covered in Lesson 1 and throughout the Internet Security Course.
A distinction must be made between what we perceive as surveillance in the physical world – a person watching and shadowing your movements, and what occurs on the Internet.
Lesson 2 – Privacy! On the Internet?
The Internet is a network of networks passing data through numerous intermediary computers and routers. Data typically travels the Internet in a readable (insecure) format. Your search query on Google or your Yahoo email message is accessible to your local Internet service provider as well as the body monitoring the national telecommunications infrastructure. By default, there is no privacy in Internet communications and many become victims of random and targeted network surveillance and traffic analysis. There are however, certain steps and measures you can take, some easier than others, to ensure a level of privacy in your Internet communications.
The open - we can see everything that you send and receive - Internet could not become a powerful medium for business nor could it ensure a general users' expectation of privacy.
Instant messaging tools such as MSN Messenger and Yahoo Chat also use open channels for communicating your information. Everything you send or receive using these programs is liable to surveillance.
Lesson 3 – Goodbye Censorship!
Many countries around the world have installed software and underlying infrastructure that prevents Internet users within those countries from accessing certain websites and Internet services. Companies, schools and public libraries often use similar software to protect their employees, students and patrons from material that they consider distracting or harmful. This kind of filtering technology comes in a number of different forms. Some filters block a site based on its IP address, while others blacklist certain domain names or keywords contained in web pages or your search queries.
Regardless of what filtering methods are present, it is nearly always possible to evade them by relying on intermediary computers, outside your country, to reach blocked services for you. This process is often called censorship circumvention, or simply circumvention, and the intermediary computers are called proxies. Proxies, too, come in many different forms. Some Internet services such as RSS readers and online translators perform the function of a proxy without necessarily being created for circumvention. There are also especially dedicated proxy servers, virtual private networks multiple-proxy anonymity networks. It is difficult to say in advance which particular technique will work to bypass the censorship mechanisms in place in your country and it is worthwhile to be aware of several different methods. Each offers its own particular method for getting around restrictions, at the same time each method is vulnerable in its own way. This chapter describes the various ways to circumvent censorship and explains when these methods may or may not work.
Censoring the channel of dissemination can take place at two different moments within an information cycle. Pre-publication – when the original message is prevented from being disseminated. This includes self-censorship, legislation and editorial or managerial interference with material to be published or made available to the public. Post-publication – when the audience is prevented from accessing an existing message or content communicated to them. Primarily this involves access to Internet websites and online services, and will be explained and discussed in this module.
If you cannot go directly to a website because it is blocked by one of the methods discussed above, you will need to find a way around the obstruction. Many methods exist to circumvent the blocklists, which are only effective when a website is requested directly. If a third party is called to fetch a website for us, then these lists become irrelevant. For over a decade, netizens living in censored Internet environments have been using online translation and caching services to access a website indirectly. Others have relied on anonymisers, whose original intent was to conceal your identity from a website.
Lesson 4 - Digital information management
This section describes the technology and methods for managing your digital data. We will talk about preventing unauthorized access to your data, making sure that you do not lose important documents and we will discuss the correct procedures for destroying unwanted data as well as cleaning a computer of traces left behind from past working sessions. Secure data management should be on the top of your to-do list if you work with information that you do not want to lose or expose to an outside party. Once you have set-up the tools described in this chapter and assimilate the processes into your daily working routine, you will make a huge leap towards keeping your data private and secure.
Unauthorized access to the information on your computer or portable storage devices can be carried out remotely, if the 'intruder' is able to read or modify your data over the Internet; or physically, if he manages to get hold of your hardware or simply sit behind your computer.
You may be concerned that your encrypted volume not only protects your data from unauthorized access but also indicates precisely where you store the information that you most wish to protect. In a tight situation you could be forced to reveal the volume password through intimidation, interrogation and possibly worse.
Fact: when you delete a file, even after you empty the Recycle bin, the contents of that file remain on your hard drive and can be recovered by anyone who has the right tools and a little luck. Aside from destroying unwanted data from your digital memory device, you should also consider destroying temporary files.
It is too late to think about having a backup once you lose or break your computer, USB memory stick. Obviously an up to date backup has to created in advance of the catastrophe.
Lesson 5 – Digital investigative journalism
The modern journalist must be aware of basic Internet infrastructure and operations. Certain clues accompany every website, email and digital media file – that could reveal information about the sender or the source otherwise hidden from the naked eye. Those who invest a lot of time and energy into maintaining social networks should also be aware of the risks from online profiling that they expose themselves and others to. This lesson will cover methods to identify the location of a particular website, reveal the sender of an email message, view technical details of a digital media file, discuss privacy implications regarding mobile telephone use and list several precautions for using social media platforms, in particular Facebook.
We are prone to identify and authenticate email messages by the sender's name and email address. This Lesson will help you analyse and validate the real sender of a received email message.
Just like every email message records the IP address of the server it is sent from, so does every digital document contain details about the time it was created, the device that created it and other useful information.
In the physical world we are identified by passport to our government and by recognition to our friends. A drivers licence, a social security or tax file number and our reputation serve as distinguishing features of our identity and associations.
You may have heard or already know that mobile telecomunnications are insecure by default. Did you know that your geigraphical location can be pinpointed thanks the phone in your pocket?
Lesson 6 – Seven steps to better passwords
A password is often the first (and last) line of defense – protecting unauthorized access to your computer or an Internet account. A password is like a key to a door. You may have several different keys for your home, your office, your car and your safe. None of the locks are the same and you have a collection of different keys to open them. The same should apply to your passwords. Each account should have its own strong password. The definition of a strong password is one that cannot easily be guessed, cracked or stolen by an attacker. This chapter explains how to create and remember strong passwords and how not to lose them!